The present invention, in some embodiments thereof, relates to a system and method for detecting fraudulent activity on telephony networks and, more particularly, but not exclusively, to detection of fraud that tries to take advantage of the seams between networks in the case of users roaming on a visited network which is different from their home network.
There are many possible ways in which telephony fraud may be carried out. Some mobile fraud scenarios involve SS7 hacking, i.e. sending SS7 messages, usually at the level of the MAP and CAMEL protocols. One of the fraud risks involves the removal of cross-network triggering, for example CAMEL triggers, from the subscriber profile. CAMEL is an inter-network protocol. When a subscriber is roaming and places a call (Mobile Originated—MO), a trigger is sent from the serving MSC to the home network SCP, to allow control of the call. The home network may then either confirm or reject the call. The home network may act upon the trigger, for example to decide whether it is possible to activate real-time charging for prepaid users, the prepaid case being the most common usage for CAMEL.
CAMEL may also be used for fraud detection—for controlling calls to premium numbers for example, which are fraudulently placed without the knowledge of the subscriber.
Reference is now made to FIG. 1, which illustrates one of the ways a potential fraudster may act. The fraudster may act to remove the CAMEL triggers from the subscriber profile. This may for example be achieved by:
(1) obtaining the IMSI of the subscriber, by sending a query to the HLR with the subscriber MSISDN (the cellular number)—step 1, and
(2) sending a fake subscriber profile—step 2—to the serving VLR (or VMSC), using the ISD MAP command and an SRI4SM (send routing information for short message). The attacker has the IMSI and knows the VMSC, and thus is able to send a MAP ISD or DSD signal to delete CAMEL from the profile. Specifically, the information that is deleted may include the O-CSI (originating CAMEL subscription information). Thus the CAMEL trigger is deleted from the profile of the unsuspecting user.
After the attacker has removed the CAMEL trigger, the home network no longer has real-time control for the calls made by its outbound roamers. Now, the fraudster may carry out the second phase of the fraud. One of the scenarios is shown with reference to FIG. 2.
Firstly, the attacker changes the FTN (Forward To Number) of the subscriber in the subscriber profile. The FTN is supposed to be used to forward calls to the subscriber's voicemail when the line is busy, but the attacker changes it to a premium number of the attacker's choice. Then, the attacker sends first 10 and second 15 PRN requests to the serving VLR, emulating the case of 2 consecutive MT calls for the subscriber. The attacker initiates a call 20 to MSRN1, the mobile temporary number allocated by the serving MSC as part of a normal call procedure. Then, after the subscriber answers the call, the attacker immediately initiates a second voice call 25 to the subscriber. The subscriber status is now busy, as the subscriber is answering the first call, so this second call is forwarded 30 to the number defined as the FTN, supposedly the victim's voicemail but actually the attacker's premium number, all without the knowledge of the subscriber. The second call remains connected to the premium number for as long as the attacker chooses, and the subscriber-victim ends up receiving the charges for a premium number he never called. No CAMEL triggers are sent, so the home network does not detect that a premium number has been called.
The ISD (insert subscriber data) message is where the attacker inserts his premium number as the forward-on-busy number.
In the above scenario, it is not possible to find out at the home network where the call has been forwarded to. Even if it were, it would not be possible to determine that certain forwarding numbers are suspicious and others are not.
Furthermore, it is not possible to conclude that fraud is taking place simply by determining that a CAMEL trigger is absent. Emergency calls, for example, quite legitimately do not generate CAMEL triggers, and thus blindly disconnecting all calls for which a CAMEL trigger has not been generated would forcibly terminate all emergency calls, which is clearly an unacceptable solution.
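As an illustration added here, and not the method of the invention, the following sketch correlates the signalling sequence described with reference to FIGS. 1 and 2 (O-CSI removal, FTN change, two closely spaced PRN requests) for one IMSI, instead of relying on the absence of a CAMEL trigger alone. The record layout, field names, thresholds and sample values are assumptions constructed for the example; it presumes a monitoring point that sees MAP traffic toward the serving VLR.

```python
from collections import defaultdict

# Constructed sample records (not real traffic); the field names are assumptions.
EVENTS = [
    {"ts": 5,  "op": "DSD", "imsi": "001010000000001", "detail": {"removed": ["O-CSI"]}},
    {"ts": 9,  "op": "ISD", "imsi": "001010000000001", "detail": {"ftn": "PREMIUM-PLACEHOLDER"}},
    {"ts": 12, "op": "PRN", "imsi": "001010000000001", "detail": {}},
    {"ts": 14, "op": "PRN", "imsi": "001010000000001", "detail": {}},
    # Ordinary MT call for another subscriber: a single PRN.
    {"ts": 20, "op": "PRN", "imsi": "001010000000002", "detail": {}},
    # Forwarding number set while the CAMEL subscription data is left intact.
    {"ts": 30, "op": "ISD", "imsi": "001010000000003", "detail": {"ftn": "VOICEMAIL-PLACEHOLDER"}},
    {"ts": 31, "op": "PRN", "imsi": "001010000000003", "detail": {}},
    {"ts": 33, "op": "PRN", "imsi": "001010000000003", "detail": {}},
]


def detect(events, window=300.0, prn_gap=30.0):
    """Return one alert per IMSI that shows, in order and within `window`
    seconds: O-CSI removed by ISD/DSD, FTN set by ISD, then two PRN
    requests at most `prn_gap` seconds apart."""
    state = defaultdict(lambda: {"stage": 0, "t0": None, "prn": None})
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        s = state[ev["imsi"]]
        d = ev.get("detail", {})
        # Drop a partially matched sequence that has gone stale.
        if s["stage"] and ev["ts"] - s["t0"] > window:
            s.update(stage=0, t0=None, prn=None)
        if ev["op"] in ("ISD", "DSD") and "O-CSI" in d.get("removed", []):
            s.update(stage=1, t0=ev["ts"], prn=None)      # CAMEL trigger removed
        elif s["stage"] >= 1 and ev["op"] == "ISD" and "ftn" in d:
            s["stage"] = 2                                # forwarding number changed
            s["ftn"] = d["ftn"]
        elif s["stage"] == 2 and ev["op"] == "PRN":
            if s["prn"] is not None and ev["ts"] - s["prn"] <= prn_gap:
                alerts.append({"imsi": ev["imsi"], "ftn": s["ftn"], "ts": ev["ts"]})
                s.update(stage=0, t0=None, prn=None)
            else:
                s["prn"] = ev["ts"]                       # first of the two PRNs
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

A call that simply lacks a CAMEL trigger, such as an emergency call, produces none of these profile-change events and is therefore not flagged by this correlation.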